I'm sure you know this, LanX, but, for those who might not, I've gotta nitpick: Placeholders do not escape metacharacters. When using placeholders, the placeholder values are sent to the database completely separately from the query structure, which removes any need for escaping of any characters - data cannot be confused for commands because the data and the commands are not sent together.

I know this seems like an academic distinction, but I consider it an important one because referring to placeholders as a way of escaping metacharacters encourages people to think of escaping and placeholders as equivalent, so, if placeholders are inconvenient, then, meh, escaping is just as good - which is false. They are not equivalent. Proper escaping can provide excellent protection against injection attacks, but placeholders provide absolute protection.

(There is one exception to this: Database backends which don't actually support placeholders, so the DBD layer has to fake it by using escaping internally. But it's still better to use placeholders in such cases, both for compatibility with databases which do support real placeholders and because the person who wrote the database driver probably knows more than you do about what's needed to properly escape data for that particular backend.)


In reply to Re^3: SQL Placeholders - clarification by dsheroh
in thread SQL Placeholders - clarification by Bod
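To make the distinction in the post concrete, the following is an added example (not code from the thread or from DBI). It uses Python's sqlite3 module against an in-memory database, because its `?` placeholders are bound by the driver the same way DBI placeholders are; the table, the sample rows and the input strings are constructed for the demonstration. It shows three ways of running the same lookup: splicing the value into the SQL text (injectable), manually escaping it (correct only where the quoting context is known) and binding it as a placeholder (the value never becomes part of the command text). The numeric lookup at the end is where escaping falls over: there are no quotes around a numeric literal, so doubling quotes does nothing, while the placeholder still treats the input as data.

```python
import sqlite3

# Constructed sample data for this example; not from the original post.
# User 3's name deliberately contains SQL metacharacters.
SAMPLE_USERS = [
    (1, "alice"),
    (2, "bob"),
    (3, "' OR '1'='1"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (id, name) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def escape_sql_string(value):
    """Manual escaping for a value that will sit inside single quotes:
    the standard SQL rule is to double each single quote."""
    return value.replace("'", "''")


def ids_by_name_interpolated(conn, name):
    """Vulnerable: the value is spliced into the command text, so a quote
    in the data ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT id FROM users WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def ids_by_name_escaped(conn, name):
    """Escaped: safe here only because we know the value is inside quotes."""
    sql = f"SELECT id FROM users WHERE name = '{escape_sql_string(name)}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def ids_by_name_placeholder(conn, name):
    """Placeholder: the SQL text is fixed; the driver binds the value
    separately, so there is nothing to escape."""
    sql = "SELECT id FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def name_by_id_escaped(conn, user_id):
    """Escaping applied in the wrong context: a numeric comparison has no
    quotes, so doubling quotes does nothing and the input is still parsed."""
    sql = f"SELECT name FROM users WHERE id = {escape_sql_string(user_id)} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def name_by_id_placeholder(conn, user_id):
    """Placeholder version of the numeric lookup: the bound value is compared
    as data, so an input that is not a number simply matches nothing."""
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def demo():
    """Run each lookup with a benign and a hostile input; returns the results."""
    conn = make_db()
    hostile_name = "' OR '1'='1"
    hostile_id = "1 OR 1=1"
    return {
        "interpolated": ids_by_name_interpolated(conn, hostile_name),  # every row
        "escaped": ids_by_name_escaped(conn, hostile_name),            # only user 3
        "placeholder": ids_by_name_placeholder(conn, hostile_name),    # only user 3
        "id_escaped": name_by_id_escaped(conn, hostile_id),            # every name
        "id_placeholder": name_by_id_placeholder(conn, hostile_id),    # nothing
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:15} {result}")
```

The escaped string lookup gives the right answer, which is exactly the trap the post warns about: escaping looks equivalent to placeholders until the value lands somewhere other than inside a quoted string, or until the backend's quoting rules differ from the ones you assumed. With `?` binding, neither the quoting context nor the backend's escape rules enter into it.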